Hello, everyone!
I have few questions about indexers cleaning:
- How it's performed in clustered architecture?
- Does it really needed? Do I correctly understand that frozen buckets delete automatically?
What do you mean by "indexers cleaning"? What do you expect to happen during this process?
Yes, you understand correctly. By default, frozen buckets are deleted automatically.
I mean cleaning indexers from old logs
"Cleaning" old events from indexes have done by setting size of index (maxTotalDataSizeMB) and/or max lifetime for events (frozenTimePeriodInSecs). There are some other attributes which can fine tune the time and indexes sizes. See those from https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf#PER_INDEX_OPTIONS
Here is old conf presentation about Data Lifecycle https://conf.splunk.com/files/2017/slides/splunk-data-life-cycle-determining-when-and-where-to-roll-.... It's still valid, but it don't cover Splunk SmartStore usage which have some other parameters to restrict lifecycle.
r. Ismo
